July 2012 Special 6-month Edition

Threat and Spamscape Report

July 2012

What We've Seen So Far in 2012

So far in 2012 we've already witnessed a great amount of activity targeting many facets of all of our
everyday lives. We've seen some minor wins for the good guys in the face of some major adversity from
the bad guys. We've also witnessed the uncovering of a few apparent government sponsored cyberattacks
that have really made people sit up and notice. Also, we've seen many appearances from the top
contenders in the malware world; Zeus, SpyEye, and the Blackhole toolkit have been the most
prominent names this year on the malicious cyber front. Here are a few of the other highlights from the
first six months of 2012:

As more and more people are using smart phones, we're seeing more and more spam and
malware targeting these devices. With increased functionality comes increased risk.

Zeus has been one of the big three once again thus far into 2012. Even though the source code
was apparently given to the author of the SpyEye toolkit, we're still seeing many variants making
their circulation that are independent of SpyEye. We've seen campaigns pretending to be
banking security updates, we've seen them pretending to be fake receipts, and we've even seen
Zeus hide some possibly inane environmental propaganda within one of their campaigns.

Speaking of Zeus, we saw an interesting variant on the morning of May 23rd cycle through. This
particular campaign brought a little extra fun to the party in addition to its normal MO. A fake
anti-virus scam by the name of Smart Fortress 2012 was also included, something we hadn't
seen riding on board with Zeus before.

In addition to Zeus, the Blackhole crime toolkit has quickly made its way among the heavy
hitters. It's sold on the underground forums for cheap and it's readily available for all that know
where to pick it up. One campaign of interest in April even leveraged the exploit of the Blackhole
toolkit to create a foothold, and installed the Zeus Trojan once it was inside.

In the wake of the big Stuxnet/Duqu worm discoveries of last year, another very complex piece
of code was discovered targeting Iran and North Africa this year. It was dubbed Flame, and has
kept the media closely tuned in to government sponsored "Cyber warfare".

The identities of the Koobface gang were discovered early this year and their attack on users of
Facebook ceased rather abruptly as their images and identities were released to the world.

The SpyEye toolkit is one of the most expensive available on the underground market
specifically for its effectiveness and support from its creator. It is for these reasons that we often
see several campaigns originating from this tool on nearly a daily basis. One of these in
particular leveraged what appeared to be a rather pricey online pizza order confirmation.

As is the usual as tax deadlines approached in the U.S., financially themed malware campaigns
started hitting our filters at full speed. One of these in particular utilized the popular financial
software company Intuit as a disguise.

Total Email Traffic Volume

This chart represents both total and spam traffic throughout the first 6 months of 2012. Spam levels
were on the decline during the first 5 months of the year but in June, spam levels starting to pick back
up and we saw the first month over month rise in spam of 2012. So far this year we have quarantined
10.6 billion spam messages.

Tests Failed

This chart represents the number of times messages failed various tests over the past 6 months. Keep in
mind that many messages failed multiple tests; hence the total from these charts will surpass the total
individual pieces of spam seen during the year thus far.

Regions of Origin

This graph represents both spam and malicious email traffic by region. We have seen an uptick in spam
messages emanating from Asia during the first half of 2012.

Top Ten Countries of Origin

This chart represents the top countries from which spam originated during the first 6 months of 2012.
The US and India were by far the world leaders in spam output.

Top Email-Delivered Viral Threats

These are the top 20 malware threats we saw last 6 months in order of frequency, with the most
frequent appearing in the top position. The virus names that begin with "X." signify rules that were
written by AppRiver Analysts. (This doesn't mean that other anti-virus vendors didn't eventually have
definitions in place for these viruses; it simply means that AppRiver often had protection in place before
many of them).

X.HTM.Java.BH.4512

X.W32.Oficla-A1020.pak

X.W32.bredo.pak.416.a

X.HTM.Java.BH.410.sm

X.W32.kryp.621.pak.a

X.UPX.App.pakuber

X.W32.bredo.hp.45a

X.W32.Bredo.App.pakc

X.W32.Zbot.OVD.pak

X.TorSin.htm.217

X.W32.PX.pakb

X.UPX.App.pakuberc

X.Mal\BredoZp-B-5.12DHLEr

X.W32.Mytob.App.pak

X.W32.kryp.621a

X.W32.PECxt.a

X.W32.kryp.619a

X.W32.Kryptik.dhl.065a

X.W32.troj.banker.spy.615

X.W32.Androm.58a

6 Month Virus Activity

This chart represents email-borne virus and malware activity during the first 6 months of 2012, as seen
by AppRiver filters. After a very slow start to 2012, Q2 was defined by a huge spike in malicious emails
being sent out. Of the 104 million malicious emails that we have quarantined so far this year, nearly 87
percent were in the second quarter of 2012. Additionally, a growing number of cybercriminals are now
opting to attempt to infect users by way of malicious URL links within emails rather than the traditional
method of delivering executables inside attachments.

Image Spam

The chart below represents total Image spam seen by AppRiver filters so far during 2012. Image spam
was on the decline in Q2 of 2012.

A Surge in Smartphone Spam

Remember the days when spam was free? Forget the fact that everyone
hates it and had just now gotten used to the fact that it was constantly
aiming for your inbox. Now these pesky messages are everywhere,
including your phone. And they're not just annoying anymore. They're
actually costing unlucky recipients money.

For many, every text to their phone translates to another little charge on
their bill. Spammers are cashing in on this on the ease in which users can
follow links in SMS messages. The texts are growing more and more
prevalent, offering free gift certificates, iPads, and iPhones. Just for fun,
we took the bait to find out what one of these campaigns was up to.

It appears we were randomly selected, which is sort of true. These
spammers are using automated dialers to send these out en masse. Don't
be tricked into responding to them or clicking on the links. If you respond, they'll often be able to tell
that they've got a live one, and you'll quickly become a favorite.

This particular campaign is simply an attempt to trick its victims into willfully accepting their unrelenting
"marketing" blasts. They never really give anyone anything, nor does it seem that they ever offer
anything real. Often times though, these links can lead to malware.

The mobile market is a growing target for these guys as operating systems become more and more
predicable (read: iOS/Android). In this case, it works in the same way as another shady practice called
"Pay Per Install". The PPI business is all over the place as exemplified by those sneaky toolbars that
people accidentally install with other software. In the PPI business, people will become affiliates for
other software makers. Some are legitimate; others not so much. The affiliate gets a tiny fee for every
unique installation of the software. To make big bucks however, affiliates need to send these things to
as many people as possible.

This is the same model now being used by text spammers. The person blasting out these texts are
affiliates trying to rip people off. The affiliate ID is appended to the back of the URL in the link above.
Every time a unique IP visits that website, this affiliate makes a little money. Anyone following the link
would be redirected to about six or seven different sites, each one with a different affiliate ID. (This is
likely the same person attempting to use and capitalize on several different programs at once.)

Usually these are survey scams that trick people into receiving several very high cost text messages, but
this one only offered a convenient way to purchase from their affiliates, continue making purchases
from them, and then make some more. When the user catches on and stops buying, the company can
say that the victim broke the contract so they won't have to send them anything.

Just in case somehow a person did legally stay true to their ridiculous demands, they also have a clause
that says "Company reserves the right to substitute a product of comparable value for the reward.
"Comparable value" shall be determined by Company :"in its sole discretion". "Company" doesn't even
have a name. Also included is an agreement to accept their future spam onslaught, which was certainly
not legal in the first place thanks both to the CAN-SPAM Act as well as the Telephone Consumer
Protection Act. We're not exactly sure how binding this electronic contract is, but they've certainly put
forth the effort.

Zeus Continues its Reign

Zeus has been plaguing us for quite some time now and has come to us in many different forms. One in
particular proved to be a little more than met the eye. This one was a little different, but the difference
wouldn't have been noticed without a deeper look into its devious inner workings. Just when we began
to think that our old friend Zeus, the banking credential stealing scourge, was just a shallow one-sided
thief, something like this happens. During the first week of January we saw several varieties of the Zeus
banking Trojan hit our filters, but this one in particular came with a bonus environmental message
hidden within.

On the outside this Trojan was dressed up as a "Credit Notification" from Wells Fargo informing
recipients that their accounts had been credited $11,000.00! Wow, that's a lot, and for those who may
believe that this must be some sort of mistake, the authors of the email attached handy details of the
transaction in a file suitably named "transaction&details.zip".

Once executed, the attachment went to work embedding itself on the victim's machine. A file by the
name of unve.exe was created in multiple instances that opened up network connections and was in
charge, along with a batch file by the name of tmp6f953619.bat, of monitoring and stealing banking
credentials.

There was one curious behavior that happened behind the scenes, however. The malware also opened a
network connection, silently downloaded a Jpg file from a DropBox account, and left it on the newly
infected PC. The image was entitled "climate_killing_banks.jpg" and depicted a bar chart of the top 20 banks that have financed coal
electricity and coal mining since 2005. Obviously a chart created to point out those banks who contribute to negative environmental
impact, or perhaps a chart created by the coal industry to point out their best supporters, it could go either way. This image was never
opened or displayed during infection, it was simply left behind for someone to find later. This is certainly an interesting message from
these thieves, one that says "We may be robbing you blind, but we have real concerns too. Let's make
this a better world to live in" (Or something like that).

Zeus Brings a Little Something Extra to the Party

Early on May 23rd we saw a new payload peppered in with the many Zeus and SpyEye offerings. It
appeared to be a new version of the already infamous toolkit known for stealing financial data. In
addition to performing the same behind the scenes malicious activities such as stealing browser cookies,
ftp credentials, banking login credentials, and general keylogging, this version added a new flavor to the
mix. This one included what appeared to be a new brand of Fake AV or Ransomware on top of what it
had already been offering. Let's start at the beginning:

These arrived as emails pretending to be from PayPal. The emails claimed that the recipient had made a
payment to some random person whose name changed from email to email. The amount sent was
usually a pretty large number, in the hundreds of dollars range. Once this was successful at grabbing the
victim's attention, they would then likely be persuaded into clicking one of the several links included to
supposedly contact PayPal to see what's going on. Once clicked the malware went right to work
contacting an abundance of various domains which would then begin downloading and installing various
components of the malware. This particular variant contacted an initial 16 different domains to gather
its wares.

Among the actions we now consider normal for Zeus such as making copies of itself and injecting itself
into running processes, Zeus also disables
error messages, firewalls and existing Anti-
Virus solutions just before it presented the
newly infected with what it called Smart
Fortress 2012. The new Fake Anti-Virus
software then started and appeared as if it
was scanning the new system and then
began displaying a long list of "infections".
Though it is true that this machine would
indeed now be infected, it was not by
anything that the fake software had
displayed. Now, not only was Zeus stealing money beneath the surface, but it was also trying to get its
victims to willingly turn some over in order to regain control of their computers. Little did they know
that attempting to appease the Fake AV by paying for "malware removal" would only result in losing
more money and keeping all of the same infections. The best thing to do for users who saw this Smart
Fortress pop-up would have been to disconnect all network connections and hope that their backup was
up to date.

For some reason this particular Smart Fortress addition to Zeus only ran for a couple of hours before we
stopped seeing it. After that Zeus continued on up to its old tricks, shedding the fake Anti-Virus
technique. These things do come and go, and the fake AV thing has been used many times in the past. It
is possible that Zeus had rented out some temporary space in its payload to another group, or that they
were just trying something a little different.

One Bad Egg

Another somewhat flashy malware campaign we saw in April was one pretending to be a purchase
receipt again, but this time from newegg.com. As everyone likely may know, NewEgg is an online shop
for everything computer - a parts and peripheral place that most people have likely ordered from at
least once. Here again the receipt doesn't provide details on exactly what was supposedly purchased,
but it did provide links where one could "contact" them with questions. These links went to where one
might expect by now, not to the NewEgg staff, but to one of many websites containing a custom crafted
index.html page with exploit code from the Blackhole toolkit. Among many downloaded exploits and
bits of malware, this particular infection also led to the creation of a file by the name of 7zBY7xS.exe.
This file is recognized as being a variant of the Zeus family of malware. With these two power hitters
sharing the same stage, it's apparent that this particular malware run was really up to no good.

'Flame' Trojan, another Piece of Government Sponsored Malware?

A recently-discovered piece of malware dubbed "Flame" appears
to be a highly sophisticated espionage toolkit that is currently
making its way around targeted systems. The malware goes to
work by spying on infected systems and capturing a large amount
of information. To date, infections are concentrated in Iran and
other countries in the Middle East and North Africa. Flame has
capabilities to exfiltrate all types of data including documents
stored on host machines, record keystrokes, take screenshots
and even activate microphones and listen in on conversations. It appears that this is another statesponsored
infection such as Stuxnet or Duqu. However, Flame does not appear to have the same
author.

What's particularly disconcerting from a security standpoint is that Flame went undetected for nearly
two years. We wrote about targeted malware attacks in AppRiver's 2012 Prediction Report and
discussed the high probability that if in the wrong hands, targeted malware could become weaponized:

Targeted Malware - Stuxnet and Duqu raised more than a few eyebrows as they may have done
more than unwillingly steal the top of the headlines this past year. These incredibly complex
pieces of malware made their way to specific targets with incredible swiftness and accuracy.
There's no doubt that this type of attack whether it be government sponsored or otherwise will
remain at least as prevalent if not more so in 2012. The Flame toolkit also shows evidence of
state sponsorship though it almost assuredly has different authors and a less focused goal. It's
highly complex code gives analysts a strong feeling that this is no ordinary malware, but instead
something that was meant to gather as much information as possible from its intended targets.
It is obvious now that cyberspace has been weaponized and we will continue to see attacks of
this fashion as long as they remain effective.

Stuxnet, Duqu and Flame are great examples of an era in which we now live in where cyber-war and
cyber-espionage are becoming more mainstream and successfully exploiting infected systems. And
unfortunately, we can expect to see more of these types of threats grow in sophistication and regularity
in the years to come.

The Gig is Up for the Koobface Gang

Chalk up another win for the good guys this year so far! Thanks to the tireless efforts of the Facebook
Security Team, five men have been ousted as the people behind the Koobface family of malware that
had plagued Facebook for several years now. These five men were traced to St. Petersburg, Russia
where they were living high on the hog. Their eventual undoing was through a sloppy mistake made on
one of their command and control severs. First the person responsible for the C&C's upkeep accidentally
left a service available which allowed any visitor to view inbound traffic data, and after that, analytics
software installed on the machine led researchers to the Koobface main server in charge of pushing out
all major updates. Once this IP was realized, the ball started rolling. Domains that were hosted on the
same server were then linked to two of the five men involved with the malware distribution ring.
Ironically, the gang's favorite infection vectors, social networks, were then used to put all of the pieces
together utilizing information that the participators left out in the open on these sites and others. Now a
wealth of information has been collected on these men, and Russian authorities have been informed.
Even though none of the men have yet to be arrested, their C&C server has been brought down, and
Koobface is no more. Now we just wait until the foreign authorities do the right thing.

SpyEye Tries its Hand in the Pizza Business

Another interesting and unique ploy by the bad guys this month came in the form of an itemized receipt
that claims the addressee had just ordered a pizza. On the 24th we saw right around a million pieces
from this campaign alone, coming in at a rate of 1500 per minute at its peak. The pizza order varied from
email to email but was always a rather large one with a rather hefty price tag. Toward the end of the
order was this line: "If you haven't made the order and it's a fraud case, please follow the link and cancel
the order." Most went ahead and clicked the "Cancel Order Now" link, since they hadn't ordered an
overpriced pizza.

Out of the million or so emails, the "Cancel Order Now" links were sharing references to 40 different
domains. All of them hosted a page that displayed the heading "WAIT PLEASE" in bold letters followed
by "Waiting..." below. Beneath the surface though, the page was running three different scripts
attempting to download and run another script by the name of "js.js" from three different places. All of
these did the same thing and the redundancy was in case any of the three sites went down.

The "js.js" script pulled down several files from the IP 208.117.43.8 which is located in Chicago, IL. All of
these belonged to the SpyEye family. Among the ones pulled down was a pdf exploit as well as a Java
exploit. Once these weaseled their way into the newly infected system, a myriad of further downloads
and communications took place, including a couple of components that made encrypted POSTs to
91.121.84.204 in France.

SpyEye became somewhat infamous in the underground economy when it appeared on the scene three
years or so ago and went against then front runner Zeus. Both of these were being sold as automated
malware toolkits on underground forums. The authors of these toolkits were in competition with one
another until the author of Zeus sold his source code to the SpyEye author who then incorporated it into
his kit. Zeus is still available for purchase, but it has been replicated and reused by many different
groups, especially since the code was released. As a result there are many different unsupported
versions going around.

SpyEye, on the other hand, is available at a cost of around upwards of $10,000 US. This version is
specifically customized and supported by the author. The cost of the kit often comes with a year's
license and the author will answer any questions to help users get it off the ground. He will also help to
repack its payload into new undetected variants as many times as necessary for the length of the
license. This just goes to illustrate the professionalism on both sides of the coin.

Intuitive Malware

It isn't uncommon to see financially themed malware year-round; however, as the US tax deadline
approaches, we tend to see much more of it. Early on in the month of April, as well as a few weeks
beforehand, we were seeing a lot of these malware
campaigns pretending to be emails from the do-ityourself
accounting software company Intuit. This
particular campaign was disguised as a receipt from
Intuit Marketplace, an online service where people
can order business materials such as checks,
business cards, and tax forms among other things.
As is often the case, this receipt is rather generic
and fails to itemize the recipient's apparent order,
nor does it give a cost. It does give two different
options to find out about this mysterious Intuit
order though, one is to call the provided 900
number at a rate of $4.79 per minute, or there's a
link from which you can download the complete
order. The charged phone call option is there most
certainly to steer people towards the download
link. Once this has been clicked, the victim would have then been secretly redirected through several
different websites containing a slew of exploits. Specifically, malware that attempted to pierce
unpatched holes in Java as well as a pdf exploit. Once the compromise is achieved, the victim's
computer was then taken under control of its attackers.